[Full-disclosure] Re: [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functions
David Litchfield
davidl at ngssoftware.com
Tue Aug 9 01:38:45 BST 2005
> Buffer Overflow in MySQL User Defined Functions
> Risk level: LOW
> Credits: This vulnerability was discovered and researched by Reid
> Borsuk of Application Security Inc.
How can this even be marked as low risk? If you're loading a library into
mysql's address space then you're already executing "arbitrary code". It's
important that we, as security researchers, don't desensitize the readership
with pointless "vulnerability" posts otherwise people begin to turn off.
Sure - you've found some sloppy code in mysql - get it looked at by all
means but please don't try to create a risk, whether low or not, where there
really is none.
Cheers,
David "got out of the wrong side of bed this morning" Litchfield
Full-Disclosure is hosted and sponsored by Secunia.